Iran Threatens Israel’s Critical Infrastructure With ‘Polonium’ Proxy

Cyber mimics life, as Iran uses Lebanese hackers to attack its bête noire.

Israel’s critical infrastructure is under threat from an Iranian proxy hacking group operating in Lebanon.

Iran’s partnership with armed militant groups throughout the Middle East is well documented. Less widely known is its collaboration with extranational hackers, like “Polonium” (aka “Plaid Rain”), which since 2021 has seemingly operated with the sole purpose of attacking Israel.

According to Microsoft, in the spring of 2022 alone, Polonium spied on more than 20 Israeli organizations across commercial, critical, and government sectors, including transportation, critical manufacturing, IT, finance, agriculture, and healthcare.

Now the group seems to have taken a step up. On Dec. 4, Israel’s National Cyber Directorate warned that Polonium has targeted further critical infrastructure sectors, including water and energy. And besides espionage, the Directorate wrote, “a trend to implement destructive attacks has recently been identified.”

Dark Reading has reached out to Israel’s Ministry of Defense for further details, but has not yet received a reply.

Polonium’s M.O.

From a country with only a few, relatively quiet APT groups — Volatile Cedar, Tempting Cedar, and Dark Caracal — one may be tempted to underestimate Polonium.

[The Dark Reading Report continues]

And rather than packaging these backdoors as a monolith, the hackers divided them up into fragments – tiny files, each with limited functionality. For example, one dynamic link library (DLL) file would be responsible for screen grabs, and then another took care of uploading them to a C2 server. “The idea is to split functionalities into various components, so that individual components look less suspicious to security software,” explains Matias Porolli, malware researcher at ESET.

Even as Polonium evolved its tools and tactics in recent months, it still stuck to this formula.

[The Dark Reading Report continues]

Iran’s Proxy Cyber War

[The Dark Reading Report continues]

That its attackers are not always the ones pulling the strings only makes defending against them that more difficult, says Maria Cunningham, director of threat research ReliaQuest. “Russia is often the first nation-state that comes to mind here,” she says, though “an interesting modus operandi is often displayed by threat actors attributed to North Korea which may well look criminal in nature at first glance.”

“This can provide plausible deniability for the attacker; for the defender, it can limit attribution and, more importantly, hinder the understanding of what might come next in the attacker’s armory,” she says.